Assessing new domain environment

Active Directory, PowerShell


I had a free day yesterday, and I always love to spend my free time on the Xbox or PlayStation, depending on the mood. So while I’m rushing and jumping all over Australia with my Lamborghini, I got a phone call. My first instinct was to mute it and continue with my race, but it was a good friend... so I muted it anyway 😶. When I finished the race, I called him back (yes, I’m a good friend 😜). After a quick chit-chat, he told me that he needs help to assess a new domain environment he needs to work on.

Can you blame me for not answering the phone?

He told me that he needs to get some basic information on these topics:

  • Forest information
  • Domain information
  • GPO information
  • DHCP authorized server information
  • Users information
  • Group information

I asked him to prepare a computer in the domain with the Remote Server Administration Tools (RSAT) installed and to get credentials for a domain user (no special privileges) while I wrote him a guide.

Forest information:

When we install RSAT, we get a lot of new PowerShell cmdlets. One of them is the Get-ADForest cmdlet. Using this command we can get information about the Active Directory forest (surprised?).

Each cmdlet can give us a lot of information, and we don’t want to get lost, so for each cmdlet we will focus on the information I think is most relevant. I encourage you to investigate every cmdlet you see here if you are not familiar with it.

We would like to get information about the forest functional level, the domains in the forest, the root domain and the schema master DC:

* The reason we put it into a variable first is that we will use it later.
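As an added example (not code from the original post), here is the forest query in PowerShell. It assumes the RSAT ActiveDirectory module is installed and the session runs as an ordinary domain user. It also goes one step beyond the post by listing the forest's trusts with Get-ADTrust, since every trust is a path into or out of the forest and belongs in a first assessment:

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Kept in a variable so the domain and group sections can reuse RootDomain and Domains.
$forest = Get-ADForest

# Forest functional level, member domains, root domain and the forest-wide FSMO role holders.
$forest | Select-Object Name, ForestMode, RootDomain, Domains, SchemaMaster, DomainNamingMaster, GlobalCatalogs

# Sanity checks on the schema master: is it reachable, and is it also a global catalog?
$schemaMaster = $forest.SchemaMaster
$reachable    = Test-Connection -ComputerName $schemaMaster -Count 1 -Quiet
$isGc         = $forest.GlobalCatalogs -contains $schemaMaster
"Schema master {0}: reachable={1} globalCatalog={2}" -f $schemaMaster, $reachable, $isGc

# Trusts are not in the post's list, but each one extends who can authenticate here.
# SID filtering and selective authentication are the two settings to question on every trust.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize
```

An empty trust list is a valid and welcome result; a trust with SIDFilteringQuarantined set to False and SelectiveAuthentication set to False is the first thing to ask the previous owners about.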

Domain information:

In this part we will use two cmdlets, Get-ADDomain and Get-ADDomainController. We will use them to find the functional level of each domain, the PDC emulator and RID master, and information about the domain controllers.

First we will use Get-ADDomain to get the following: Name, Child Domains, Domain functional level, Infrastructure Master, PDC Emulator and RID Master.

Now we will use Get-ADDomainController to get information about the domain controllers in each domain. It is useful to get the hostname, IPv4 address, operating system, the LDAP and SSL ports, and which site each DC belongs to:

This will give us a nice list:
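The two cmdlets above, walked over every domain in the forest, as an added example that is not code from the original post. It assumes the RSAT ActiveDirectory module (plus Test-NetConnection from the built-in NetTCPIP module) and an ordinary domain user. It goes beyond the post with two checks a practitioner runs on the same output: the Infrastructure Master placement rule for multi-domain forests, and whether each DC actually answers on its LDAP port from this host:

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$forest = Get-ADForest

foreach ($domainName in $forest.Domains) {
    # Query each domain by name so child domains are not missed from a root-domain session.
    $domain = Get-ADDomain -Identity $domainName
    $domain | Select-Object Name, DNSRoot, ChildDomains, DomainMode, InfrastructureMaster, PDCEmulator, RIDMaster

    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
    $dcs | Select-Object HostName, IPv4Address, OperatingSystem, LdapPort, SslPort, Site, IsGlobalCatalog, IsReadOnly |
        Sort-Object Site, HostName |
        Format-Table -AutoSize

    # Check 1: in a multi-domain forest the Infrastructure Master must not be a GC unless
    # every DC in the domain is a GC; otherwise cross-domain object references stop updating.
    if ($forest.Domains.Count -gt 1) {
        $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        if ($im.IsGlobalCatalog -and -not $allGc) {
            Write-Warning ("{0}: Infrastructure Master {1} is a GC but not all DCs are GCs" -f $domainName, $im.HostName)
        }
    }

    # Check 2: DCs that do not answer on their LDAP port from here (firewall, dead host, stale object).
    foreach ($dc in $dcs) {
        $open = Test-NetConnection -ComputerName $dc.HostName -Port $dc.LdapPort -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $open) {
            Write-Warning ("{0}: no answer on TCP {1}" -f $dc.HostName, $dc.LdapPort)
        }
    }
}
```

The OperatingSystem column is worth reading against the vendor's support dates: a DC on an end-of-support Windows Server release is the kind of finding the rest of this assessment will keep coming back to.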

GPO information

Now, GPOs are super important, and every Domain Services guy will tell you they can make or break your environment. When we start working on a new environment, we would like to know how many GPOs we have and how many of them are not in use.

To get the number of GPOs, we can just run:

To get the unlinked GPOs we can use the following script:

When it’s done, we can get the information from the $unlinkedGPOs variable.
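One way to do both counts, as an added example rather than the post's own script. It assumes the RSAT GroupPolicy module (the GPMC tools) and uses the XML report of each GPO, which carries one LinksTo element per link. It goes a little beyond "unlinked": a GPO whose links are all disabled, or whose status is AllSettingsDisabled, is just as dead in practice, so those are counted separately:

```powershell
# Added example, not from the original post. Requires the RSAT GroupPolicy module (GPMC).
Import-Module GroupPolicy

$allGpos = Get-GPO -All
"Total GPOs: {0}" -f $allGpos.Count

# The XML report contains one <LinksTo> element per site/domain/OU link in this domain,
# each with an <Enabled> flag. One report per GPO, so this takes a while on large estates.
$linkStatus = foreach ($gpo in $allGpos) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # Filter out $null explicitly: @($null).Count is 1 in PowerShell, which would miscount.
    $links   = @($report.GPO.LinksTo | Where-Object { $null -ne $_ })
    $enabled = @($links | Where-Object { $_.Enabled -eq 'true' })
    [pscustomobject]@{
        DisplayName      = $gpo.DisplayName
        Id               = $gpo.Id
        GpoStatus        = $gpo.GpoStatus
        Links            = $links.Count
        EnabledLinks     = $enabled.Count
        LinkedTo         = ($enabled | ForEach-Object { $_.SOMPath }) -join '; '
        ModificationTime = $gpo.ModificationTime
    }
}

$unlinkedGPOs = @($linkStatus | Where-Object { $_.Links -eq 0 })
$disabledOnly = @($linkStatus | Where-Object { $_.Links -gt 0 -and $_.EnabledLinks -eq 0 })
$settingsOff  = @($linkStatus | Where-Object { $_.GpoStatus -eq 'AllSettingsDisabled' })

"Unlinked: {0}  Linked but every link disabled: {1}  All settings disabled: {2}" -f `
    $unlinkedGPOs.Count, $disabledOnly.Count, $settingsOff.Count
$unlinkedGPOs | Select-Object DisplayName, Id, ModificationTime | Sort-Object DisplayName | Format-Table -AutoSize
```

The report only knows about links inside the GPO's own domain, so in a multi-domain forest read "unlinked" as "not linked here" before deleting anything.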

DHCP authorised server information

DHCP can be a vulnerability, and it’s something we want to control: we don’t want rogue DHCP servers that hand out wrong IPs or, worse, are not in sync with the rest and hand out duplicate IPs.

To get the list of the authorised DHCP servers we can use the cmdlet:

That easy!
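The authorised-server query, extended into the "duplicate IPs" check the paragraph worries about, as an added example that is not code from the original post. It assumes the RSAT DHCP Server tools (the DhcpServer module). Listing authorised servers works as a plain domain user; reading scopes remotely needs DHCP Users rights on each server, so those calls are wrapped and may warn instead of returning data:

```powershell
# Added example, not from the original post. Requires the RSAT DHCP Server tools (DhcpServer module).
Import-Module DhcpServer

# Servers authorised in AD (the DhcpRoot container in the configuration partition).
$authorised = @(Get-DhcpServerInDC)
$authorised | Select-Object DnsName, IPAddress | Format-Table -AutoSize

# IPv4 -> UInt32 so scope ranges can be compared numerically.
function ConvertTo-UInt32 {
    param([System.Net.IPAddress]$Address)
    $bytes = $Address.GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

# Active IPv4 scopes of every authorised server. Expect access-denied as an unprivileged user.
$scopes = @(foreach ($srv in $authorised) {
    try {
        Get-DhcpServerv4Scope -ComputerName $srv.DnsName -ErrorAction Stop |
            Where-Object { $_.State -eq 'Active' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server  = $srv.DnsName
                    ScopeId = $_.ScopeId
                    Name    = $_.Name
                    Start   = ConvertTo-UInt32 $_.StartRange
                    End     = ConvertTo-UInt32 $_.EndRange
                }
            }
    } catch {
        Write-Warning ("{0}: {1}" -f $srv.DnsName, $_.Exception.Message)
    }
})

# Two servers handing out overlapping ranges is the duplicate-IP case, unless they are a
# failover pair sharing the scope on purpose, so treat this as a review list, not a verdict.
for ($i = 0; $i -lt $scopes.Count; $i++) {
    for ($j = $i + 1; $j -lt $scopes.Count; $j++) {
        $a = $scopes[$i]; $b = $scopes[$j]
        if ($a.Server -ne $b.Server -and $a.Start -le $b.End -and $b.Start -le $a.End) {
            Write-Warning ("Overlap: {0} scope {1} and {2} scope {3}" -f $a.Server, $a.ScopeId, $b.Server, $b.ScopeId)
        }
    }
}
```

One caveat on the word "rogue": AD authorisation is only enforced by the Windows DHCP Server role itself. A non-Windows or non-domain DHCP server ignores it entirely, so this list is the sanctioned set, not proof that nothing else is answering on the wire.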

Users information

It’s all about the users, the most critical resource we have in our environment. There are so many things we want to know about them, but we will limit it to the most important in my opinion:

  1. Number of users:
  2. Number of active users:
  3. Number of locked-out users:
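The three counts in one pass, as an added example that is not the post's own code. It assumes the RSAT ActiveDirectory module and an ordinary domain user. It pulls the user objects once and counts in memory rather than querying the DC three times, and adds two counts the post does not ask for but a security review will: enabled accounts that have not logged on in 90 days, and enabled accounts whose password never expires:

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# One query, then count in memory.
$users = @(Get-ADUser -Filter * -Properties Enabled, LastLogonDate, PasswordNeverExpires, PasswordLastSet)

$total  = $users.Count
$active = @($users | Where-Object { $_.Enabled }).Count
# Locked-out accounts come from Search-ADAccount, which evaluates lockoutTime against the lockout policy.
$lockedOut = @(Search-ADAccount -LockedOut -UsersOnly).Count

# Additions beyond the post's three counts. LastLogonDate is derived from lastLogonTimestamp,
# which replicates with up to ~14 days of lag, so the stale list is approximate; accounts that
# have never logged on at all ($null) are counted as stale too.
$cutoff       = (Get-Date).AddDays(-90)
$stale        = @($users | Where-Object { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) })
$neverExpires = @($users | Where-Object { $_.Enabled -and $_.PasswordNeverExpires })

[pscustomobject]@{
    TotalUsers           = $total
    ActiveUsers          = $active
    DisabledUsers        = $total - $active
    LockedOut            = $lockedOut
    StaleEnabled90d      = $stale.Count
    PasswordNeverExpires = $neverExpires.Count
}

# The lists behind the last two counts, for follow-up with the account owners.
$stale        | Select-Object SamAccountName, LastLogonDate, PasswordLastSet | Sort-Object LastLogonDate
$neverExpires | Select-Object SamAccountName, PasswordLastSet | Sort-Object PasswordLastSet
```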

Group information

Groups can often be a pain, and it is easy to lose control over them. These cmdlets will help us get some control back:

  1. Number of groups:
  2. All the empty groups:

    This will give us a nice list:

Today security is everywhere, and we all share the responsibility to keep our environment secure. We also want all the members of the Domain Admins and Enterprise Admins groups, and we will ask questions about every member.

Don’t take it lightly. I once saw a company with Domain Users in the Domain Admins group…
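The group counts, the empty-group list and the privileged-group review together, as an added example that is not code from the original post. It assumes the RSAT ActiveDirectory module and an ordinary domain user. Two things it does that the text only implies: it expands nested groups with -Recursive so a "Domain Users in Domain Admins" mistake shows up as a nested group rather than hiding behind one line, and it resolves the effective members through the global catalog port (3268, an assumption about your DCs) so members from other domains in the forest resolve. Schema Admins is added to the post's two groups:

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$forest = Get-ADForest

$groups = @(Get-ADGroup -Filter * -Properties Members)
"Total groups: {0}" -f $groups.Count

# "Empty" here means the member attribute is empty. Primary-group membership (Domain Users,
# Domain Computers) is stored on the member, not in the group, so those look empty but are not.
$emptyGroups = @($groups | Where-Object { $_.Members.Count -eq 0 })
"Empty groups: {0}" -f $emptyGroups.Count
$emptyGroups | Select-Object Name, GroupCategory, GroupScope, DistinguishedName | Sort-Object Name | Format-Table -AutoSize

# Privileged groups: Domain Admins exists in every domain; Enterprise Admins and Schema Admins
# exist only in the forest root. Schema Admins is an addition to the post's list.
$targets  = @(foreach ($d in $forest.Domains) { [pscustomobject]@{ Domain = $d; Group = 'Domain Admins' } })
$targets += [pscustomobject]@{ Domain = $forest.RootDomain; Group = 'Enterprise Admins' }
$targets += [pscustomobject]@{ Domain = $forest.RootDomain; Group = 'Schema Admins' }

foreach ($t in $targets) {
    # Direct members first: any group here means membership is inherited through nesting.
    $direct    = @(Get-ADGroupMember -Identity $t.Group -Server $t.Domain)
    $nested    = @($direct | Where-Object { $_.objectClass -eq 'group' })
    # -Recursive expands nested groups down to the leaf accounts.
    $effective = @(Get-ADGroupMember -Identity $t.Group -Server $t.Domain -Recursive)

    [pscustomobject]@{
        Domain             = $t.Domain
        Group              = $t.Group
        DirectMembers      = $direct.Count
        NestedGroups       = ($nested.Name -join ', ')
        EffectiveUsers     = @($effective | Where-Object { $_.objectClass -eq 'user' }).Count
        EffectiveComputers = @($effective | Where-Object { $_.objectClass -eq 'computer' }).Count
    }
    foreach ($g in $nested) {
        Write-Warning ("{0}\{1} contains the group '{2}' - every member of it is effectively {1}" -f $t.Domain, $t.Group, $g.Name)
    }

    # The questions to ask about every member start with: is it enabled, when was it last used,
    # how old is the password. Assumption: port 3268 (global catalog) is open on the root DCs;
    # the attributes requested here are all in the default GC partial attribute set.
    $gc = '{0}:3268' -f $forest.RootDomain
    $effective | Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Server $gc -Properties Enabled, LastLogonDate, PasswordLastSet } |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
        Sort-Object LastLogonDate |
        Format-Table -AutoSize
}
```

Get-ADGroupMember stops with an error when a group contains foreign security principals from a trusted forest; if that happens, read the group's Members attribute directly and resolve those SIDs by hand, because those are precisely the members you want to ask about.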


One of the most challenging tasks in my job is taking over a domain environment. It can be very complicated, and it can take so much time just to understand what’s going on. There is a lot more information to look for, and a lot more topics to investigate, but I think I gave you a nice head start and something to begin with.

How would you approach this task? I would love to hear about it!
